This week, in a significant win for the American Hospital Association plaintiff, the U.S. District Court for the Northern District of Texas issued an opinion vacating the Department of Health and Human Services’ (“HHS”) guidance on the use of online tracking technologies under HIPAA. At the heart of the dispute was the guidance released by HHS in December of 2022 and then updated again in March of 2024 (collectively, the “Guidance”), which suggested that information collected from unauthenticated website visitors could be considered protected health information (“PHI”) under HIPAA. The Guidance was challenged by hospitals and healthcare providers who argued it exceeded HHS’ statutory authority under HIPAA and imposed unreasonable compliance burdens.
The court took issue with HHS’ broad interpretation of PHI to include a user’s IP address when the user visits a public facing, unauthenticated webpage with information about specific health conditions or healthcare providers (“Proscribed Combination”). It found the Guidance unlawfully expanded the definition of PHI to include data that could not reasonably identify an individual or their health condition without knowing the user’s subjective intent for the visit. This, the court determined, was not supported by HIPAA’s statutory language and exceeded the bounds of HHS’ regulatory authority.
Granting partial summary judgment to the plaintiffs, the court declared the Proscribed Combination unlawful and ordered its vacatur. This means the Guidance related to the Proscribed Combination cannot be enforced and must be removed from the Guidance. The court denied the request for a permanent injunction, considering vacatur a sufficient remedy to address the plaintiffs’ concerns and restore the status quo.
Implications for Healthcare Providers and Patients
This ruling reaffirms the limits of regulatory authority under HIPAA, ensuring that any expansion of definitions or enforcement actions must be clearly grounded in the statute. Secondly, it acknowledges the complexities of managing PHI in the digital era, balancing the need for privacy and security with the practical realities of internet use for health-related purposes. For healthcare providers, this decision relieves the immediate pressure of complying with an onerous rule under HIPAA that would have drastically altered how health information must be managed online. Note that the Guidance related to the authenticated portion of a healthcare providers website still stands and healthcare providers should still ensure that any web tracking on authenticated portions of the website complies with HIPAA.
Looking Ahead
While this decision is a significant victory for the American Hospital Association and its co-plaintiffs, the broader issue of tracking website visitors will continue to be an issue for covered entities in an increasingly digital world. As technology continues to advance, both regulators and the healthcare industry will need to collaborate closely to ensure that patient privacy is safeguarded and transmitted in compliance with a complex patchwork of state privacy laws, contract protections, and private rights of action, without stifling innovation to the detriment of efficient, quality delivery of healthcare services.